A.6.1 Screening would include:
- Screening Policy and Procedures: Documentation of a formal screening policy and procedures that outline the organization's approach to conducting screening activities for employees, contractors, and third-party personnel.
- Employee Screening Records: Records of background checks and screenings conducted for all employees, including verification of their qualifications, work history, criminal background checks, and any other relevant screenings based on job roles and responsibilities.
- Contractor and Third-Party Screening Records: Documentation of background checks and screenings performed for contractors and third-party personnel who have access to sensitive information or critical systems.
- Screening Consistency: Evidence that the screening process is consistently applied to all individuals, irrespective of their position or role within the organization.
- Screening Criteria: Clear criteria and guidelines for determining eligibility and suitability for employment, contract engagement, or third-party relationships based on the results of the screenings.
- Screening Records Retention: Documentation of the retention period for screening records and compliance with relevant data protection and privacy regulations.
- Risk Assessment: Evidence of risk assessments carried out to identify specific job roles or access levels that require higher levels of screening based on the sensitivity of information or systems accessed.
- Screening Reviews and Audits: Records of periodic reviews and audits of the screening process to ensure compliance with the policy and procedures and to identify opportunities for improvement.
- Incident Response and Reporting: Documentation of procedures for handling any incidents related to screening, such as false information provided by candidates or contractors.
- Compliance with Regulations: Evidence that the organization's screening practices align with relevant employment laws, industry regulations, and data protection requirements.
By reviewing these pieces of evidence, an auditor can assess the effectiveness and consistency of the organization's screening process, ensuring that appropriate measures are in place to verify the integrity and trustworthiness of individuals with access to sensitive information and critical systems. The goal is to reduce the risk of insider threats and unauthorized access, ultimately enhancing the overall security posture of the organization.
Prior to employment, due diligence is conducted for employees, suppliers and consultants, applying as relevant the procedures below: Criminal Records Checks, Drug Testing, Motor Vehicle Records Screening, Employment Verification, Supervisor/Reference Interviews, Education Verification, Licensing and Professional Certification Verification,